Antonios Chariton <[email protected]> wrote:
    > DNS-ACCOUNT-01 extends (but does not replace) the DNS-01 challenge in
    > the following way: the DNS label under which the TXT record is created
    > to respond to the challenge is account dependent. This allows a
    > Subscriber to use multiple and separate subdomains to solve ACME
    > challenges for the same domain.

Understood.

    > The current limitation of the DNS-01 challenge is that since CNAME
    > records are unique per zone, a user would be unable to point the
    > _acme-challenge label to more than one destination, so the following
    > scenario is not supported:

    > _acme-challenge.example.com. IN CNAME automated-dns-01.example.org.
    > _acme-challenge.example.com. IN CNAME automated-dns-02.example.net.

I also use CNAMEs like this.

    > Multi-Regional Deployments There are providers that have an
    > infrastructure running in multiple regions and do not want to introduce
    > dependencies across regions. They want to have the ability to issue
    > certificates for the same domain as other regions, without relying on
    > any particular one, to achieve resiliency, etc.

That seems like a particularly strong use case to me.

    > We chose not to relay the requested label in the ACME server message,
    > and instead have the client calculate it independently, for security
    > purposes. It helps prevent cross-protocol attacks that could be
    > introduced in the future, and it also helps protect the ACME client
    > against malicious ACME servers or certificate misissuance.

I'm concerned that it is less easily predicted by the operator, which affects
the ability to easily install the desired CNAME, which seems to be a primary 
consideration.

--
Michael Richardson <[email protected]>, Sandelman Software Works
 -= IPv6 IoT consulting =-

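The concern above is about the operator predicting the per-account label. As an added illustration (not code from the draft or from either poster), the following assumes the derivation in the DNS-ACCOUNT-01 draft as I understand it: the label is an underscore followed by the lowercase, unpadded base32 encoding of the first 10 bytes of SHA-256 over the ACME account URL, placed under _acme-challenge. The account URLs, domain and CNAME targets are constructed sample values; confirm the derivation against the draft revision you actually target before relying on it.

```python
import base64
import hashlib

ACME_CHALLENGE_LABEL = "_acme-challenge"


def dns_account_01_label(account_url: str) -> str:
    """Derive the account-dependent label (assumed draft rule:
    "_" + base32(SHA-256(account_url)[0:10]), lowercase, no padding).
    10 bytes = 80 bits, which base32 encodes in exactly 16 characters."""
    digest = hashlib.sha256(account_url.encode("ascii")).digest()[:10]
    return "_" + base64.b32encode(digest).decode("ascii").lower()


def dns_account_01_name(account_url: str, domain: str) -> str:
    """Fully qualified owner name of the TXT record for this account and domain."""
    return f"{dns_account_01_label(account_url)}.{ACME_CHALLENGE_LABEL}.{domain.rstrip('.')}."


def dns_01_name(domain: str) -> str:
    """Owner name the plain DNS-01 challenge uses, identical for every account."""
    return f"{ACME_CHALLENGE_LABEL}.{domain.rstrip('.')}."


def cname_records(domain: str, accounts: dict[str, str]) -> list[str]:
    """Zone lines the operator installs up front, one per ACME account.
    `accounts` maps account URL -> CNAME target (constructed sample data in __main__)."""
    return [
        f"{dns_account_01_name(url, domain)} IN CNAME {target.rstrip('.')}."
        for url, target in accounts.items()
    ]


def owner_names_collide(domain: str, accounts: dict[str, str]) -> tuple[bool, bool]:
    """Return (collides_under_dns_01, collides_under_dns_account_01).
    Plain DNS-01 puts every account on the same owner name, so two CNAMEs
    cannot coexist; the account label gives each account its own owner name."""
    dns01 = {dns_01_name(domain) for _ in accounts}
    acct = {dns_account_01_name(url, domain) for url in accounts}
    return (len(dns01) < len(accounts), len(acct) < len(accounts))


if __name__ == "__main__":
    # Constructed sample: two regional deployments, each with its own ACME account.
    sample_accounts = {
        "https://acme.example/acme/acct/region-eu-1": "automated-dns-01.example.org",
        "https://acme.example/acme/acct/region-us-1": "automated-dns-02.example.net",
    }
    for line in cname_records("example.com", sample_accounts):
        print(line)
    print(owner_names_collide("example.com", sample_accounts))
```

Because the label depends only on the account URL (the Location returned by newAccount), the operator can compute it once per account before any order is placed and install the CNAME then, rather than waiting for the server to announce a name.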

_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme